FreeIPA pam account configuration

asked 2015-03-04 06:45:22 -0600

schkrat gravatar image

Hello.

I have a FreeIPA server connected to a Windows AD server. Here is some environment data:

freeipaad.schkrat.local (Active Directory, DNS; MS Windows Server 2012 R2 Datacenter Evaluation x64)
ipaserver.schkrat.ipa (FreeIPA server, CentOS release 6.6 (Final) x64)

IPA version components:

sssd-ipa-1.11.6-30.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-trust-ad-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64

HBAC test works:

ipa hbactest --user=wintest --host=ipbclient.schkrat.ipa --service=sshd

Access granted: True

Matched rules: access_all

We have a valid TRUST with AD:

[root@ipaserver sssd]# ipa trust-find

1 trust matched

Realm name: schkrat.local
Domain NetBIOS name: SCHKRAT
Domain Security Identifier: S-1-5-21-957296299-3555775235-3719493031

Trust type: Active Directory domain

Number of entries returned 1

The problem is when an HBAC rule is set so that under "WHO" we select a Windows user. Then SSH stops working:

Before HBAC:

Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:07 ipbclient sshd[30058]: pam_unix(sshd:session): session opened for user wintest@SCHKRAT.LOCAL by (uid=0

After HBAC:

Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL : 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration

So what am I missing?

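The useful detail in the "After HBAC" excerpt is the order of the PAM phases: pam_sss(sshd:auth) reports success (the password was correct), then pam_sss(sshd:account) returns code 6 and denies access, and only afterwards does sshd log the misleading "Failed password". The following script is an added example, not part of the question or of FreeIPA/SSSD; it parses syslog-style sshd lines like the ones above and tells an account-phase denial (an HBAC or other access-control decision) apart from a genuine bad-credential failure. The log format is assumed to match the question's lines; the "bad password" sample at the end is constructed for contrast and did not appear in the question.

```python
import re
from collections import defaultdict

# Syslog-style sshd line, e.g. "Feb 17 08:21:55 ipbclient sshd[30089]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Messages from the PAM auth phase, the PAM account phase, and sshd itself.
# "\buser=" deliberately does not match the "ruser=" field that precedes it.
AUTH_OK_RE = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+)\s*:\s*(?P<code>\d+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FATAL_ACCT_RE = re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration")

MATCHERS = (
    (AUTH_OK_RE, "auth_ok"),
    (ACCT_DENY_RE, "account_denied"),
    (ACCEPTED_RE, "accepted"),
    (FAILED_RE, "failed"),
    (FATAL_ACCT_RE, "fatal_account"),
)


def parse_line(line):
    """Split one sshd syslog line into ts/host/pid/msg; None if it is not an sshd line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_logins(lines):
    """Return {user: summary} saying why each user's SSH login succeeded or failed.

    Events are grouped by user, not by sshd PID: in the question's log the final
    "fatal: ... by PAM account configuration" comes from a different sshd process
    (30091) than the pam_sss messages (30089).
    """
    per_user = defaultdict(lambda: {
        "auth_ok": False,         # PAM auth phase accepted the credentials
        "account_denied": False,  # PAM account phase refused (HBAC / access control)
        "pam_code": None,         # numeric PAM return code from the account phase
        "accepted": False,        # sshd logged "Accepted ..."
        "failed": False,          # sshd logged "Failed ..."
        "fatal_account": False,   # sshd aborted on PAM account configuration
        "rhost": None,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for regex, key in MATCHERS:
            m = regex.search(rec["msg"])
            if m:
                summary = per_user[m.group("user")]
                summary[key] = True
                if "code" in m.groupdict():
                    summary["pam_code"] = int(m.group("code"))
                if "ip" in m.groupdict():
                    summary["rhost"] = m.group("ip")
                break
    for summary in per_user.values():
        if summary["account_denied"] or summary["fatal_account"]:
            # Credentials were fine; the account phase said no. Look at HBAC
            # rules / access control, not at the password.
            summary["outcome"] = "denied_by_account_phase"
        elif summary["accepted"]:
            summary["outcome"] = "accepted"
        elif summary["failed"]:
            summary["outcome"] = "bad_credentials"
        else:
            summary["outcome"] = "unknown"
    return dict(per_user)


# Sample input: the two excerpts from the question, plus one constructed
# bad-password attempt (not from the question) for comparison.
BEFORE_HBAC = [
    "Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2",
]
AFTER_HBAC = [
    "Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL",
    "Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL : 6 (Permission denied)",
    "Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2",
    "Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration",
]
BAD_PASSWORD = [  # constructed
    "Feb 17 08:30:01 ipbclient sshd[30120]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL",
    "Feb 17 08:30:01 ipbclient sshd[30120]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34800 ssh2",
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HBAC), ("after", AFTER_HBAC), ("bad password", BAD_PASSWORD)):
        for user, s in classify_logins(sample).items():
            print(f"{label:12s} {user}: {s['outcome']} (auth_ok={s['auth_ok']}, pam_code={s['pam_code']})")
```

Run against the "After HBAC" lines the script reports `denied_by_account_phase` with `auth_ok=True` and `pam_code=6`, which is the signature of an HBAC (or other account-phase) denial rather than a wrong password; the constructed sample yields `bad_credentials` with `auth_ok=False`. The same grouping works on a whole `/var/log/secure`, where a burst of account-phase denials for trusted-domain users right after an HBAC change is the thing to alert on.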